Reference / image source
OpenStack Nova-Networking
- Flat Network Manager
In this mode, a network administrator specifies a subnet. IP addresses for VM instances are assigned from the subnet, and then injected into the image on launch. Each instance receives a fixed IP address from the pool of available addresses. A system administrator must create the Linux networking bridge (typically named br100, although this is configurable) on the systems running the nova-network service. All instances of the system are attached to the same bridge, which is configured manually by the network administrator.
Note
Configuration injection currently only works on Linux-style systems that keep networking configuration in /etc/network/interfaces.
1) There is a subnet specified by the network administrator, and the IP assigned to each VM must belong to that subnet.
2) The assigned IP is injected directly into the VM image in the form of a config file.
3) The network nodes do not act as the default gateway; VMs are either assigned public IPs directly or obtain IPs from an external DHCP server.
4) Every VM uses a fixed IP from the range of available addresses.
5) A bridge named br100 must be configured between the nova-network node and the nova-compute nodes.
6) All VMs on the system attach to the same bridge (br100), which is created and managed by the administrator.
7) OpenStack Compute creates iptables/ebtables entries per project.
- Flat DHCP Network Manager
In this mode, OpenStack starts a DHCP server (dnsmasq) to allocate IP addresses to VM instances from the specified subnet, in addition to manually configuring the networking bridge. IP addresses for VM instances are assigned from a subnet specified by the network administrator.
Like flat mode, all instances are attached to a single bridge on the compute node. Additionally, a DHCP server configures instances depending on single-/multi-host mode, alongside each nova-network. In this mode, Compute does a bit more configuration. It attempts to bridge into an Ethernet device (flat_interface, eth0 by default). For every instance, Compute allocates a fixed IP address and configures dnsmasq with the MAC ID and IP address for the VM. dnsmasq does not take part in the IP address allocation process; it only hands out IPs according to the mapping done by Compute. Instances obtain their fixed IPs through the normal DHCP discover/offer exchange. These IPs are not assigned to any of the host's network interfaces, only to the guest-side interface for the VM.
In any setup with flat networking, the hosts providing the nova-network service are responsible for forwarding traffic from the private network. They also run and configure dnsmasq as a DHCP server listening on this bridge, usually on IP address 10.0.0.1 (see DHCP server: dnsmasq ). Compute can determine the NAT entries for each network, although sometimes NAT is not used, such as when the network has been configured with all public IPs, or if a hardware router is used (which is a high availability option). In this case, hosts need to have br100 configured and physically connected to any other nodes that are hosting VMs. You must set the flat_network_bridge option or create networks with the bridge parameter in order to avoid raising an error. Compute nodes have iptables or ebtables entries created for each project and instance to protect against MAC ID or IP address spoofing and ARP poisoning.
Note
In single-host Flat DHCP mode you will be able to ping VMs through their fixed IP from the nova-network node, but you cannot ping them from the compute nodes. This is expected behavior.
1) Apart from a DHCP (dnsmasq) server running on the compute node, it is basically the same as the Flat Network Manager.
2) To assign IPs to VMs, a DHCP (dnsmasq) server on the compute node is used.
3) A specific range (defined separately) within the subnet in use is set as the DHCP configuration.
4) Instead of injecting an IP information file into the image, VMs obtain their IPs from DHCP.
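The division of labour described above (Compute allocates the fixed IP and records the MAC-to-IP mapping, dnsmasq only serves that mapping) as an added example; this is illustrative code, not nova's own, and the subnet, gateway and MACs are constructed sample values:

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample values: the subnet the network administrator specified
# and the gateway address nova-network typically uses (10.0.0.1, as above).
FLAT_SUBNET = "10.0.0.0/27"
GATEWAY = "10.0.0.1"


@dataclass
class FixedIpAllocator:
    """Hypothetical model of Flat DHCP mode: Compute, not dnsmasq, picks each
    instance's fixed IP and writes the MAC->IP mapping dnsmasq will serve."""
    cidr: str = FLAT_SUBNET
    gateway: str = GATEWAY
    leases: dict = field(default_factory=dict)  # mac -> (ip, hostname)

    def _pool(self):
        net = ipaddress.ip_network(self.cidr)
        taken = {ip for ip, _ in self.leases.values()}
        for host in net.hosts():  # .hosts() already excludes network/broadcast
            if str(host) != self.gateway and str(host) not in taken:
                yield str(host)

    def allocate(self, mac, hostname):
        """Assign the next free fixed IP; one lease per MAC, pool may run dry."""
        mac = mac.lower()
        if mac in self.leases:
            return self.leases[mac][0]
        ip = next(self._pool(), None)
        if ip is None:
            raise RuntimeError("fixed IP pool exhausted for %s" % self.cidr)
        self.leases[mac] = (ip, hostname)
        return ip

    def dhcp_hostsfile(self):
        """Lines in dnsmasq --dhcp-hostsfile format: MAC,IP,hostname."""
        return "\n".join("%s,%s,%s" % (mac, ip, host)
                         for mac, (ip, host) in sorted(self.leases.items()))

    def dhcp_offer(self, mac):
        """What a static dhcp-range answers: the mapped IP, or None for a MAC
        Compute never registered, so an unregistered client gets no lease."""
        return self.leases.get(mac.lower(), (None, None))[0]
```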
- VLAN Network Manager
This is the default mode for OpenStack Compute. In this mode, Compute creates a VLAN and bridge for each tenant. For multiple-machine installations, the VLAN Network Mode requires a switch that supports VLAN tagging (IEEE 802.1Q). The tenant gets a range of private IPs that are only accessible from inside the VLAN. In order for a user to access the instances in their tenant, a special VPN instance (code named cloudpipe) needs to be created. Compute generates a certificate and key for the user to access the VPN and starts the VPN automatically. It provides a private network segment for each tenant's instances that can be accessed through a dedicated VPN connection from the internet. In this mode, each tenant gets its own VLAN, Linux networking bridge, and subnet.
The subnets are specified by the network administrator, and are assigned dynamically to a tenant when required. A DHCP server is started for each VLAN to pass out IP addresses to VM instances from the subnet assigned to the tenant. All instances belonging to one tenant are bridged into the same VLAN for that tenant. OpenStack Compute creates the Linux networking bridges and VLANs when required.
1) This is the default mode of OpenStack Compute.
2) A VLAN and a bridge are created for each project.
3) To run multiple compute nodes, the switch connecting them must support VLAN tagging (IEEE 802.1Q).
4) Each project gets a private IP range that is accessible only from inside its VLAN.
5) To access the VMs in a project, a separate VM called cloudpipe is created per project.
6) OpenStack Compute generates an authentication key so the user can access the VPN, and starts the VPN service.
7) The VPN system provides, per project, a private network that makes the project's VMs appear to an end user outside the network as if they were on the same network.
8) Each project has its own VLAN, Linux networking bridge, and subnet.
9) Of these three, the subnet is defined by the network administrator and assigned dynamically when a project needs it.
10) A DHCP server is started for each VLAN, based on the subnet assigned to that project, and assigns IPs to the project's VMs.
11) All VMs belonging to one project are in the same VLAN.
12) OpenStack Compute creates the Linux networking bridges and VLANs required.
※ Cloudpipe
a. In VlanManager mode, cloudpipe is the method by which end users connect to the VMs in their own project (with its VLAN).
b. The cloudpipe code automatically creates a VPN-gateway-style VM, using the nova-manage administrator command, that lets end users make a VPN connection into the private network assigned to the project.
c. Access to this VPN is provided through a public port on the network host serving the project.
d. This VPN approach gives end users easy access to the VMs in a project without exposing them to the public internet (security).
e. The dedicated VM that handles the VPN is Linux and must have OpenVPN installed in advance.
f. To integrate with Nova, there is a script called autorun.sh that configures and starts OpenVPN.
g. autorun.sh reads environment information from Nova and starts a VPN service matching the VLAN of the project it serves.
h. Additionally, autorun.sh is registered in cron so that metadata is periodically re-downloaded and the new CRL is copied.
i. Through this periodic update via cron, when a certificate is reissued, sessions connected with the old certificate are removed.